Make the dist builds reproducible

This change adds pinned constraints to the PEP 517 based distribution package build process by adding a pip-tools managed lock file. It is also auto-updatable by GitHub Dependabot.
cherrypy · Dec 9, 2021 · 5c1ac08 · 5c1ac08 · webknjaz · Dec 22, 2021
1 parent ac040f8
commit 5c1ac08
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 0 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,4 +1,6 @@
 [build-system]
+# NOTE: Keep this in sync with `requirements/dist-build-constraints.in`
+# NOTE: at all times.
 requires = [
     # Essentials
     "setuptools>=34.4",

diff --git a/requirements/dist-build-constraints.in b/requirements/dist-build-constraints.in
@@ -0,0 +1,12 @@
+# NOTE: Keep this in sync with `pyproject.toml -> [build-system] -> requires`
+# NOTE: at all times.
+
+# Essentials
+setuptools >= 34.4
+
+# Plugins
+setuptools_scm[toml] >= 3.5
+setuptools_scm_git_archive >= 1.1
+
+# Dynamic (coming from setuptools' PEP 517 build backend)
+wheel
diff --git a/requirements/dist-build-constraints.txt b/requirements/dist-build-constraints.txt
@@ -0,0 +1,24 @@
+#
+# This file is autogenerated by pip-compile with python 3.10
+# To update, run:
+#
+#    pip-compile --allow-unsafe --output-file=requirements/dist-build-constraints.txt --strip-extras requirements/dist-build-constraints.in
+#
+packaging==21.3
+    # via setuptools-scm
+pyparsing==3.0.6
+    # via packaging
+setuptools-scm==6.3.2
+    # via -r requirements/dist-build-constraints.in
+setuptools-scm-git-archive==1.1
+    # via -r requirements/dist-build-constraints.in
+tomli==1.2.2
+    # via setuptools-scm
+wheel==0.37.0
+    # via -r requirements/dist-build-constraints.in
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==59.5.0
+    # via
+    #   -r requirements/dist-build-constraints.in
+    #   setuptools-scm
diff --git a/tox.ini b/tox.ini
@@ -48,6 +48,7 @@ setenv =
 
 [dists]
 setenv =
+  PIP_CONSTRAINT = {toxinidir}/requirements/dist-build-constraints.txt
   PEP517_OUT_DIR = {env:PEP517_OUT_DIR:{toxinidir}/dist}
 
 
@@ -199,11 +200,20 @@ commands =
 
 
 [testenv:build-dists]
+allowlist_externals =
+  env
 description =
   Build dists and put them into
   the `{env:PEP517_OUT_DIR}/` folder
 depends =
   cleanup-dists
+# NOTE: The custom command is here to allow resetting the global
+# NOTE: pip constaints env var.
+platform = darwin|linux
+install_command =
+  env PIP_CONSTRAINT= \
+    {envpython} -m \
+    pip install {opts} {packages}
 isolated_build = true
 # `usedevelop = true` overrides `skip_install` instruction, it's unwanted
 usedevelop = false